Products Liability and Kaseya’s Ransomware Attack
The recent ransomware attack involving Kaseya’s VSA product has left managed service providers (“MSPs”) and end users evaluating what, if any, legal recourse they may have against Kaseya. The onerous limitations of liability provisions and indemnification clause in the subscription license agreement and reseller terms and conditions may make claims based on breach of contract difficult to justify for end users and MSPs. Prospective litigants may wonder if they could successfully argue that Kaseya should be liable under a theory of products liability for vulnerabilities in its software product.
Initially, fact finders will likely determine whether a contract exists between the injured party and Kaseya. For MSPs and end users that purchased Kaseya's software directly from Kaseya, the Subscription End User License Agreement (“EULA”) will likely govern the dispute. However, there is a subset of end users that received Kaseya's software from their MSP and who may not have entered into a EULA with Kaseya. Consider the following language in Section 2 of the EULA:
“If the Software is authorized to be used in a multi-tenant environment or as part of a managed services solution (a “Managed Service”), then Licensee hereby agrees that the Software will be used solely in furtherance of Licensee’s provision of the Managed Service and not for any other purpose by any unauthorized third party and, if required by Kaseya from time to time in Kaseya’s sole discretion, each User shall accept the terms of an end user license agreement for the Software.” (emphasis added).
This language suggests that there may be instances where end users have not accepted the terms of the EULA and are not necessarily subject to it. There may be arguments for those end users that the onerous provisions of the license agreement do not apply. These provisions include:
- Limitation of liability
- Choice of Florida Law
- Mandatory Florida Venue
- Waiver of Class Action
- Waiver of Jury Trial
If those provisions do not apply, the possible avenues to recovery may expand for those harmed by the ransomware attack. One of those potential claims could be based on products liability, in very limited circumstances.
To establish a recoverable claim for products liability, a plaintiff must prove bodily injury or injury to property (economic damages are not enough) and that the injury was caused by a product or a component of a product. See Prosser, Keeton, Prosser and Keeton on Torts, 5th Edition, West Publishing Co., MN, 1984. Historically, courts concluded that because software was “intangible” in nature, it was not a “product” for purposes of product liability. See Michael C. Gemignani, Product Liability and Software, 8 Rutgers Computer & Tech. L.J. 173 (1981), notes 64-112.
In most of the high-profile cases involving successful products liability claims for software, the injuries have included multiple deaths. For instance, plaintiffs have succeeded in products liability claims against the manufacturer of radiology software that killed and seriously injured patients, against Toyota after a software bug caused improper acceleration that resulted in serious bodily harm, and against Boeing after software apparently caused two crashes that left no survivors. It is not clear, however, whether either prong of the products liability test would be met when the injury is loss of information on a computer.
Kaseya could argue that its remote monitoring and management tool (“RMM”) is a service, not a product. If this argument were successful, the plaintiff could not establish a products liability claim. Even if the plaintiff could overcome this hurdle, it also may be difficult to establish that the loss of access to information contained on a computer hard drive was a sufficient “injury to property” and not merely an economic injury. In either case, the plaintiff would not be successful on his or her products liability claim.
Products liability law is ever-evolving, however, and if a potential litigant could establish that it meets these two necessary elements of a products liability injury, it would be worth considering whether to bring a claim. Scott & Scott can review your potential damages and help you evaluate what kinds of claims, including claims for negligence and gross negligence against Kaseya, may be possible to address injuries caused by ransomware.